With the release of RHEL/CentOS 6.x there are some changes to the way clients authenticate using public keys over SSH with keys stored in OpenLDAP. I was able to get this working with the following modifications.
Prerequisites:
* RHEL / CentOS 6.x
* openssh-ldap
Configure sshd_config by setting AuthorizedKeysCommand. sshd will execute ssh-ldap-wrapper for the user logging in, and the wrapper prints that user's public key(s) on stdout:

    AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
Next, make sure there is a proper ldap.conf in /etc/ssh; be sure to set the level of TLS security that suits your environment:
    ldap_version 3
    bind_policy soft
    binddn cn=readonly,ou=people,dc=example,dc=com
    bindpw secret
    # keep only one of the two ssl lines: "no" for plain LDAP, "start_tls" for STARTTLS on port 389
    ssl no
    ssl start_tls
    # "never" skips verification of the LDAP server's certificate; with a CA in
    # tls_cacertdir, "demand" makes the helper reject a server it cannot verify
    tls_reqcert never
    tls_cacertdir /etc/openldap/cacerts
    host 10.x.x.x
    port 389
    base dc=example,dc=com
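The ldap.conf above decides whether the bind password and the returned public keys cross the network in the clear, and whether the helper can tell a real LDAP server from an impersonating one. The following audit script is an added example, not code from this post or from the openssh-ldap package: it parses the flat "directive value" format, reports directives that appear more than once (the two ssl lines), and flags ssl no, tls_reqcert never/allow, and a verifying tls_reqcert with no CA configured. It assumes that the helper keeps the last value of a repeated directive and that absent ssl and tls_reqcert directives default to "no" and "demand"; both are assumptions to check against your helper. The hardened counterpart it carries is constructed, and uses a hostname instead of an IP because certificate verification has to match a name in the server's certificate.

```python
"""Audit an openssh-ldap style /etc/ssh/ldap.conf for settings that weaken the key lookup.

Added example; not from the original post or the openssh-ldap package.
Assumptions: a repeated directive keeps its last value, and absent ssl /
tls_reqcert directives default to "no" / "demand".
"""

# The post's configuration as written (constructed copy, including both ssl lines).
WEAK_CONF = """\
ldap_version 3
bind_policy soft
binddn cn=readonly,ou=people,dc=example,dc=com
bindpw secret
ssl no
ssl start_tls
tls_reqcert never
tls_cacertdir /etc/openldap/cacerts
host 10.x.x.x
port 389
base dc=example,dc=com
"""

# Hardened counterpart (constructed): one ssl directive, certificate verification
# enforced, and a hostname (assumed: ldap.example.com) so the certificate name can be checked.
HARDENED_CONF = """\
ldap_version 3
bind_policy soft
binddn cn=readonly,ou=people,dc=example,dc=com
bindpw secret
ssl start_tls
tls_reqcert demand
tls_cacertdir /etc/openldap/cacerts
host ldap.example.com
port 389
base dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Return (values, counts): the effective value of each directive and how many
    times it appeared. Names are case-insensitive, '#' starts a comment, and a
    later occurrence replaces an earlier one (assumed helper behaviour)."""
    values, counts = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        values[key] = parts[1].strip() if len(parts) > 1 else ""
        counts[key] = counts.get(key, 0) + 1
    return values, counts


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means nothing this audit knows about."""
    values, counts = parse_ldap_conf(text)
    findings = []
    for key, n in counts.items():
        if n > 1:
            findings.append("duplicate directive '%s' (%d times); effective value is '%s'"
                            % (key, n, values[key]))
    ssl = values.get("ssl", "no").lower()
    if ssl == "no":
        findings.append("ssl %s: bind password and public keys travel in cleartext"
                        % ("no" if "ssl" in values else "not set (assumed no)"))
        return findings  # the TLS checks below do not apply to a plain connection
    reqcert = values.get("tls_reqcert", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("tls_reqcert %s: the LDAP server's certificate is not verified, "
                        "so TLS does not stop an impersonating server" % reqcert)
    elif "tls_cacertdir" not in values and "tls_cacertfile" not in values:
        findings.append("tls_reqcert %s without tls_cacertdir/tls_cacertfile: "
                        "no CA is configured to verify against" % reqcert)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_ldap_conf(conf) or ["ok"])
```

Run it against the real file with `audit_ldap_conf(open("/etc/ssh/ldap.conf").read())`; because the file carries bindpw in the clear, it should be readable only by root in any case.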
If the LDAP server is set up with the proper schema and contains public keys, this configuration should work.
For more information on how to set up the schema and insert public keys, review the documents here, but note that the client configuration has changed.